Presentation Slides

Making Economics a
Cyber-Security Weapon
Scott Borg
Director (CEO) and Chief Economist
U.S. Cyber Consequences Unit
Copyright © 2015 Scott Borg/U.S. Cyber Consequences Unit. All rights reserved.
If you are a cyber-security professional,
what is your job?
(from a business standpoint)
What were you hired for?
The ultimate goal of cyber security:
Reduce Cyber Risk
But . . .
can you say what this is?
Risk =
Expected Loss Over Time =
Threat x Consequence x Vulnerabilities
Frequency of a given attack type with an associated skill level
x Potential business loss from that attack
x Extent to which that loss would occur,
given a specific set of policies and counter-measures
= Annualized Expected Loss
Of the three risk factors,
Threat, Consequence, and Vulnerability . . .
the hardest to understand is Consequence
What does a business or government agency do to create value?
Businesses take Inputs and turn them into Outputs.
[Diagram: Supplier -> INPUTS -> Value Creation -> OUTPUTS -> Customer]
(Inputs are benefits lost; Outputs are benefits gained)
MEASURING A PRODUCTIVE ACTIVITY
[Diagram: Supplier -> INPUTS (valued at their Opportunity Cost) -> Value Creation -> OUTPUTS (valued at the Customer's Willingness-to-Pay) -> Customer]
Total Value Created: the gap between the Customer's Willingness-to-Pay for the Outputs and the Opportunity Cost of the Inputs
A CHANGE IN THE VALUE CREATED: WHAT SUBSTITUTES
[Diagram: the same Supplier -> Inputs -> Outputs -> Customer flow, now labelled with the Willingness-to-Pay and Opportunity Cost of the substitutes each side turns to when the activity is disrupted]
Protecting “High Value Assets” Is the Wrong Approach!

• The value of an asset doesn’t correlate with the damage that could be done by attacking it
• Value in business doesn’t reside in things; value is something the business is continually creating
• Value is created by the way things work together, not by their separate outputs
• Cyber attacks can do serious damage without doing anything observable to assets
Making Cyber Risk Quantitative by Unpacking the Components

THREAT: Attackers, Motives, Capabilities, Targets
CONSEQUENCE: Value Differential; Business Effects: I. Interrupting, II. Corrupting, III. Discrediting, IV. Undermining
VULNERABILITIES (the stages an attack has to get through): 1. Findable, 2. Penetrable, 3. Corruptible, 4. Concealable, 5. Irreversible

Threat x Consequence x Vulnerabilities = Risk
Frequency of a given attack type x Potential Loss x Extent to which the loss
would occur = Annualized Expected Loss
Being able to estimate cyber risk and say how it is
changed by different cyber-security measures . . .
• Will give you an objective basis for every cyber-security choice
• Will justify your budget
• Will allow you to determine the ROI for your activities
• Will give you a solid business defense of your actions if something goes wrong (i.e., save your job)
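A worked example, added here and not part of Scott Borg's slides, of the risk formula (Threat x Consequence x Vulnerabilities = Annualized Expected Loss) and of the ROI point on this slide: each attack type's three factors are multiplied and summed, then each countermeasure is scored by the risk it removes net of its own cost. All attack frequencies, loss figures, loss fractions, countermeasure names and their assumed effects are constructed for illustration; none come from the slides.

```python
"""Added worked example (not from the slides): Annualized Expected Loss as
Threat x Consequence x Vulnerabilities, then ROI of countermeasures.
All figures below are constructed assumptions."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AttackType:
    name: str
    frequency_per_year: float  # Threat: attacks of this type/skill level per year
    potential_loss: float      # Consequence: business loss if the attack fully succeeds
    loss_fraction: float       # Vulnerability: share of that loss that would actually
                               # occur under current policies and countermeasures (0..1)

    def annual_expected_loss(self) -> float:
        return self.frequency_per_year * self.potential_loss * self.loss_fraction


def annualized_expected_loss(attacks) -> float:
    """Risk = sum over attack types of Threat x Consequence x Vulnerability."""
    return sum(a.annual_expected_loss() for a in attacks)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    new_loss_fraction: dict  # assumed effect: attack name -> new loss_fraction


def apply_countermeasure(attacks, measure):
    """Return the attack list with the measure's vulnerability changes applied."""
    return [replace(a, loss_fraction=measure.new_loss_fraction.get(a.name, a.loss_fraction))
            for a in attacks]


def evaluate(attacks, measure) -> dict:
    """Risk before and after the measure, and ROI of the money spent on it."""
    before = annualized_expected_loss(attacks)
    after = annualized_expected_loss(apply_countermeasure(attacks, measure))
    reduction = before - after
    return {
        "measure": measure.name,
        "before": before,
        "after": after,
        "risk_reduction": reduction,
        # risk removed, net of the measure's cost, per dollar spent on it
        "roi": (reduction - measure.annual_cost) / measure.annual_cost,
    }


def rank_by_roi(attacks, measures):
    return sorted((evaluate(attacks, m) for m in measures),
                  key=lambda r: r["roi"], reverse=True)


# Constructed baseline: frequencies, losses and loss fractions are illustrative only.
BASELINE = [
    AttackType("phishing", 12, 250_000, 0.30),
    AttackType("ransomware", 2, 2_000_000, 0.25),
    AttackType("web-app-data-theft", 4, 500_000, 0.10),
]

# Constructed countermeasures with assumed effects on the loss fractions.
MEASURES = [
    Countermeasure("mfa-everywhere", 60_000, {"phishing": 0.05, "ransomware": 0.20}),
    Countermeasure("web-app-firewall", 40_000, {"web-app-data-theft": 0.04}),
]

if __name__ == "__main__":
    print(f"baseline ALE: ${annualized_expected_loss(BASELINE):,.0f}")
    for r in rank_by_roi(BASELINE, MEASURES):
        print(f"{r['measure']:>18}: ALE ${r['after']:,.0f}, "
              f"removes ${r['risk_reduction']:,.0f}/yr, ROI {r['roi']:.1f}x")
```

The loss fraction is the "extent to which that loss would occur, given a specific set of policies and counter-measures" from the formula slide, so a countermeasure is modelled purely as a change to that factor; changes to Threat (frequency) or Consequence (potential loss) would slot into the same evaluation.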
But estimating cyber risk is hard, because
you might not know enough yet about . . .
• The potential attackers, their motives, how they choose attacks, what their capabilities are, and how these factors are changing over time
• Where and how your organization creates value, where its potential liabilities are, and what would happen in the event of an attack
• How your organization’s vulnerabilities would affect attacker activities and success rates collectively, rather than one-by-one
What should you do in the meantime?
(if you don’t have enough information to estimate risks)
The stepping-stone goal for cyber security:
Increase Attacker Costs
(while holding down attacker gains)
You already know a lot about how to do this!
Ask yourself —
What hurdles would an attacker need to overcome to carry
out a profitable attack? (Hint: never just penetration)
How much time and skill would it take to overcome these
hurdles?
How can the time and skill required from an attacker be
most effectively increased?
You will probably find you can even make quantitative
estimates of these things!
Attacker cost is the real guide to hitting
attackers where it hurts!
(Even a modest-sized business can typically
increase attacker costs by a factor of 10 or 100!)
This is how to make the game of cyber
security into one you can win!
Winning:
• If you can make the costs of attacking your systems greater than the benefits from attacking them, you have won absolutely!
• If you can make the return-on-investment for attacking your organization considerably worse than for attacking another target, you have won relatively!
Not as good a guide as quantifying risk (notice why!),
but the next best thing
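A worked example, added here and not from the slides, of the questions on the preceding slides (which hurdles an attacker must clear, how much time and skill each takes, and where added time and skill raise attacker cost most effectively) together with the absolute and relative win tests on this slide. The attack chain, hours, skill levels, hourly rates, payoff, alternative-target ROI and the three hardening options are all constructed assumptions.

```python
"""Added worked example (not from the slides): attacker cost as the sum of the
hurdles in a profitable attack, the absolute/relative win tests, and ranking
defensive changes by attacker cost added per defender dollar.
All hours, rates, payoffs and options below are constructed."""
from dataclasses import dataclass, replace

# Assumed cost of attacker labour per hour at each skill level.
SKILL_RATE = {"low": 50.0, "medium": 150.0, "high": 500.0}


@dataclass(frozen=True)
class Hurdle:
    name: str
    hours: float   # attacker time needed to get past this hurdle
    skill: str     # skill level that time has to come from

    def cost(self) -> float:
        return self.hours * SKILL_RATE[self.skill]


def attacker_cost(hurdles) -> float:
    """Every hurdle must be cleared for the attack to pay, so the costs add up."""
    return sum(h.cost() for h in hurdles)


def attacker_roi(hurdles, expected_gain) -> float:
    cost = attacker_cost(hurdles)
    return (expected_gain - cost) / cost


def outcome(hurdles, expected_gain, alternative_target_roi) -> str:
    """Absolute win: cost exceeds gain. Relative win: ROI worse than elsewhere."""
    if attacker_cost(hurdles) >= expected_gain:
        return "absolute win"
    if attacker_roi(hurdles, expected_gain) < alternative_target_roi:
        return "relative win"
    return "still profitable to attack"


@dataclass(frozen=True)
class Hardening:
    name: str
    hurdle: str          # which hurdle the defensive change affects
    new_hours: float
    new_skill: str
    defender_cost: float


def apply_hardenings(hurdles, hardenings):
    by_hurdle = {h.hurdle: h for h in hardenings}
    return [replace(h, hours=by_hurdle[h.name].new_hours, skill=by_hurdle[h.name].new_skill)
            if h.name in by_hurdle else h
            for h in hurdles]


def rank_hardenings(hurdles, options):
    """(name, attacker cost added, added per defender dollar), best first."""
    base = attacker_cost(hurdles)
    scored = []
    for opt in options:
        added = attacker_cost(apply_hardenings(hurdles, [opt])) - base
        scored.append((opt.name, added, added / opt.defender_cost))
    return sorted(scored, key=lambda s: s[2], reverse=True)


# Constructed attack chain: penetration is only one of the hurdles.
ATTACK_CHAIN = [
    Hurdle("find-target", 4, "low"),
    Hurdle("penetrate", 20, "medium"),
    Hurdle("locate-and-extract-value", 30, "medium"),
    Hurdle("conceal-activity", 10, "high"),
    Hurdle("monetize", 20, "low"),
]
EXPECTED_GAIN = 50_000.0   # what the attacker expects to gain (assumed)
ALTERNATIVE_ROI = 2.0      # ROI available from attacking another target (assumed)

# Constructed defensive options and their assumed effect on one hurdle each.
OPTIONS = [
    Hardening("access-hardening", "penetrate", 60, "high", 40_000),
    Hardening("monitoring", "conceal-activity", 40, "high", 10_000),
    Hardening("data-protection", "locate-and-extract-value", 80, "high", 25_000),
]

if __name__ == "__main__":
    print(f"attacker cost ${attacker_cost(ATTACK_CHAIN):,.0f}: "
          f"{outcome(ATTACK_CHAIN, EXPECTED_GAIN, ALTERNATIVE_ROI)}")
    for name, added, per_dollar in rank_hardenings(ATTACK_CHAIN, OPTIONS):
        print(f"{name:>18}: +${added:,.0f} attacker cost, {per_dollar:.2f} per defender $")
    hardened = apply_hardenings(ATTACK_CHAIN, OPTIONS[1:])
    print(f"after the top two: ${attacker_cost(hardened):,.0f}: "
          f"{outcome(hardened, EXPECTED_GAIN, ALTERNATIVE_ROI)}")
```

With these assumed numbers the baseline attack is still profitable, the cheapest option (raising the cost of concealment) adds the most attacker cost per defender dollar and on its own produces a relative win, and combining the two best options pushes attacker cost past the expected gain, which is the absolute win the slide describes.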
What economics is most fundamentally about:
Not cash flows and markets!
Maximizing the benefits gained, relative to
the benefits lost.
Attackers are already thinking this way.
You should be too!
For more information or permission to use this
material, please contact:
Scott Borg
U.S. Cyber Consequences Unit
P.O. Box 1390
Norwich, VT 05055
[email protected]